Identity and access governance (IAG) is defined as (1) the process of requesting, approving, certifying and auditing access to applications, data and other IT services; and (2) the process of delivering security and business intelligence (BI) on how identities are created, managed and used for access. Software tools and services that provide support for most or all of this process are known as IAG products.

The IAG market (also referred to in vendor marketing as "identity governance," "access governance" and "role management") is not new. While first appearing as part of user administration and provisioning (UAP) in the late 1990s, distinctive IAG tools appeared between 2004 and 2006 as a response to concerns by clients about regulatory compliance involving access to critical IT resources. Concerns were also raised that UAP tools were not usable by non-IT professionals in addressing compliance requirements. Although UAP provided a user interface (UI) and reporting that could be leveraged by IT administrators, the ability to request, approve and certify specific access to applications, data and IT services — and then have that process audited — was not addressed adequately by UAP. A business-friendly UI and reporting capability that emphasized response to compliance needs and provided visibility into the identity change management process evolved first as a separate feature set, then later as a product.

Today, IAG is the fastest-growing sector of identity and access management (IAM). Gartner estimates that 2011 IAG product sales alone ranged from $200 million to $300 million, with estimated growth rates in 2012 continuing to exceed 35% to 40% for most IAG vendors. Consulting and system integration service sales for IAG are believed to be at least twice that. Gartner believes that the demand for IAG is just beginning, with a peak period for this functionality still four to six years in the future. Thus, most IAG vendors (and vendors with products that have IAG features) are enjoying increased sales — some more than others. The market can best be characterized by the quote "a rising tide lifts all boats," meaning even vendors with mediocre IAG capability are having some success. Although some early indicators show that market consolidation via acquisition may begin in 2013, the numerous vendors in and entering the IAG market will ensure much choice for buyers over the next two years. The disaggregation of IAG functions may also bring vendors into the IAM market that were not previously seen or thought of as IAM vendors.

Features of IAG products are still evolving, as is the relationship of IAG to other IAM and security products. New methods of delivering IAG, including software as a service (SaaS), are being tested. New methods of accessing IAG tools and services via mobile devices are also being explored. Although IAG tools and services are starting to mature, an architectural trend within the industry is reshaping the feature set. The UAP vendors that first introduced IAG features are redesigning their solutions to deliver "super IAG" functionality — that is, IAG with UAP fulfillment and synchronization capabilities. This means that user provisioning interfaces are being redesigned for business use, and the provisioning workflow is expanding to include access requests, approval and certification functions, and other steps to update UAP with IAG functionality. IAG vendors are doing the opposite — incorporating UAP connector architecture and fulfillment functions into existing IAG features. This is essentially redefining the IAG market to include UAP.

A market is also evolving for more advanced IAG tools that provide design, modeling, analytics and reporting functions for identity and access alone, without the approval, certification, and general administration and fulfillment components. These same tools initiate the creation of a formal identity data and log model that defines the data ecosystem so that it is most effective for all IAM tools, including IAG. Gartner believes this will give rise to a revised view of IAG to mean "identity governance and administration" of access. Products will divide between those focused on day-to-day administration activities for access request, approval and certification, and those devoted to mining, discovery, modeling, analytics and forensics capabilities — that is, identity and access intelligence (IAI). Advanced analytics is one of several criteria particularly important to a vendor's road map and vision.

IAI products deliver advanced data model design, pattern analysis, forensics, and other advanced analytics and reporting capabilities that are not generally found in today's products. Identity and access data collection, correlation and analysis have expanded to include input from security information and event management (SIEM), data loss prevention (DLP), and other IT security and system tools. For SIEM and DLP, it also means that IAG data can be used in their own collection, correlation and analysis. A renewed focus on access governance for data by incorporating new features (and acquiring other vendors) to govern access to unstructured and semistructured data will be a trend for 2013 and 2014. Improved integration with privileged-account activity management (PAAM) will also occur.

IAG technology provides:

Access policy management

Administration of access entitlements (known also as user permissions, rights or authorizations)

Role management (as one function of entitlement administration)

Access request

Access certification

IAG technology provides these functions with the following:

Administrator and business UIs

A workflow system for automating IAG processes

An identity repository or warehouse for IAG-specific information (could be more than one repository)

A connector architecture or service bus architecture for linking the IAG product with required resources

Mining and discovery tools that permit the construction of identity repository components, such as roles and entitlement catalogs for applications

A complete audit and reporting capability as part of the systems above or stand-alone

IAG deployments are often funded for one or more of the following reasons:

Compliance reporting and control driven by regulation

Accountability and transparency of access to critical business resources in an attempt to better manage business risks and protect privacy

Streamlining an intensely manual process for access request, certification, and reporting for efficiency and cost savings

Enterprises should consider IAG products from vendors in every quadrant of this Magic Quadrant based on their specific functional and operational requirements. Product selection decisions should be driven by organization-specific requirements in areas such as:

The relative importance of access request and certification

The scale of the deployment

IAG product deployment and support complexity

The IT organization's project deployment and technology support capabilities, maturity and experience

IAG requirements

Integration with other established IAM systems

IT managers considering IAG deployments should first define and/or determine their requirements for the governance of identity and access functions. The requirements definition effort should include capabilities that will be needed for subsequent deployment phases to establish organizational structure and for training. The project will benefit from the input of other IT groups, including audit/compliance, IT operations and application owners, and security administration. A formal assessment of existing capabilities to address these requirements will then lead to a gap analysis and feature list required to fill that gap. Enterprises should describe their IAM deployment topology so that prospective IAG vendors can propose solutions to company-specific deployment scenarios. The requirements definition effort should include later-phase deployments beyond the initial use case, because this is an ongoing process, not a one-time effort. This Magic Quadrant evaluates technology providers with respect to the most common technology selection scenario — an IAG project that is funded to satisfy access request and certification needs for compliance through accountability and transparency of access.

In summary, enterprises should:

Use IAG products to establish an identity data model and data warehouse for governing the identity life cycle, particularly for access.

Choose IAG products that provide a business-friendly user experience and that best address your enterprise process for access request, certification and audit reporting.

Leverage the data created by your established identity administration and access management tools to provide IAI to IAG and to serve as fulfillment mechanisms for IAG.